Massachusetts Court Broadly Interprets "Personal Identification Information" to Include Zip Codes, Holds Identity Theft Unnecessary to Sustain Private Cause of Action

A Massachusetts federal court ("federal court") certified several privacy related questions of first impression to the Massachusetts State Supreme Judicial Court ("State court") to clarify the scope of state law. In response, the State court broadly construed "personal identification information" ("PII") and held that collecting customer zip codes during credit card transactions violates Massachusetts privacy laws (G.L. c. 93 § 105(a)). The State court also held that plaintiffs can maintain a private action for such a violation even absent any claim of resulting identity theft.  This decision has significant implications for any national or local retailer that conducts business in Massachusetts. The case is Tyler v. Michaels Stores, Inc., --- N.E. 2d ---, 2013 WL 854097 (Mass. Mar. 11, 2013).

In the underlying federal case, a putative class alleged that Michaels Stores ("Michaels") records customers' zip codes when processing credit card transactions—even though credit card issuers do not require this information. Combined with the customers' name, this information purportedly allows Michaels to identify addresses and phone numbers through publicly available databases. The plaintiff claimed that Michaels then uses this information to send customers unsolicited marketing materials. According to the complaint, this practice amounts to writing personal identification information on a credit card transaction form and is therefore an unfair or deceptive trade practice under Massachusetts law. 

The federal court initially granted Michaels' motion to dismiss. Although the federal court agreed that zip codes constituted PII, the court concluded that the plaintiff failed to allege any legally cognizable injury. Subsequently, however, the federal court certified questions regarding the interpretation of the Massachusetts law to the State court, including the type of injury necessary to sustain a claim under state law.

The State court first held that a zip code constitutes "personal identification information." Under the statute, PII includes, but is not limited to, addresses and telephone numbers. Because the complaint alleged that a zip code combined with a name enabled Michaels to obtain address and telephone information, the State court concluded that excluding zip codes from the definition of PII would render the statute's prohibitions meaningless. 

Second, the State court concluded that nothing in the statute requires a plaintiff to allege identity fraud to assert a claim under that statute. To the contrary, the court explained that the text and history of the statute demonstrate that the legislature enacted the provision to safeguard consumer privacy rather than prevent identity theft. The court rejected claims that a violation of the statute itself automatically "injures" the plaintiff, but suggested two cognizable alternatives to identity theft that would be sufficient for at least nominal damages: "the actual receipt by a consumer of unwanted marketing materials as a result of the merchant's unlawful collection of the consumer's personal identification information; and the merchant's sale of a customer's personal identification information or the data obtained from that information to a third party." 

Finally, the State court held that the act applies to electronic and paper credit card transactions equally.

This case is significant for any local or national merchant doing business in Massachusetts. Any such entity that collects zip codes in connection with credit card transactions may be liable for engaging in unfair or deceptive trade practices. The State court's opinion, however, suggests that collecting such information for internal use only—rather than to engage in marketing or to sell the information—might not create a sufficient "injury" to support a private cause of action. Indeed, the State court's opinion is not dispositive to the extent that the putative class must still allege and prove an actual injury such as those the court suggested. Nevertheless, the State court's expansive interpretation of PII should caution companies doing business in Massachusetts to be careful about collecting information beyond what is required by credit card issuers in connection with credit card transactions.